I've recently moved around 40 VOIP phones onto an XG 220 firewall. They were on an old Peplink separate from the data LAN until the Peplink died. The phones are on a separate network and plug into their own network port. I created a zone named VOIP for them. The phones are hosted by an outside carrier.
They are experiencing some SIP issues. The phones won't stay registered unless I set their re-registration period to a very short interval (60 seconds), and even that doesn't always work and they have to be rebooted. Inbound caller ID is no longer showing.
They're using the #default_network_policy firewall rule. I added the VOIP zone to the source list. Intrusion protection is set to "lantowan_general". Traffic shaping policy, web policy, and application control have all been tried set to none, but it made no difference. NAT is set to masquerading.
The SIP and H323 ALGs have been unloaded. The UDP stream timeout is set to 150.
What else can I do?
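An added illustration, not part of the thread, of the timing interplay the question describes: whether the phone's re-registration interval is short enough to keep the firewall's idle UDP NAT mapping alive. The SIP response, the 60-second re-register interval and the 150-second stream timeout are constructed inputs; XG-specific behaviour is not modelled.

```python
import re

# Constructed sample: a 200 OK to a REGISTER, as a hosted registrar might
# return it. Not captured from the poster's phones or carrier.
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 10.20.0.15:5060;branch=z9hG4bK-1\r\n"
    "Contact: <sip:1001@10.20.0.15:5060>;expires=3600\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Compact header names permitted by RFC 3261 (m = Contact, e = Expires).
COMPACT = {"m": "contact", "e": "expires"}


def parse_headers(msg):
    """Return lower-cased header name -> list of values (status line skipped)."""
    head = msg.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(name, []).append(value.strip())
    return headers


def granted_expiry(msg):
    """Seconds until the registrar drops the binding. Per RFC 3261 the expires
    parameter on Contact takes precedence over the Expires header."""
    h = parse_headers(msg)
    for contact in h.get("contact", []):
        m = re.search(r";\s*expires\s*=\s*(\d+)", contact, re.IGNORECASE)
        if m:
            return int(m.group(1))
    if h.get("expires"):
        return int(h["expires"][0])
    return None


def check_nat_binding(msg, reregister_interval, udp_timeout):
    """Does the phone send a packet before the firewall's UDP mapping idles out?
    If not, inbound INVITEs (and their caller ID) never reach the phone."""
    expiry = granted_expiry(msg)
    effective = reregister_interval if expiry is None else min(reregister_interval, expiry)
    return {"granted_expiry": expiry,
            "effective_refresh": effective,
            "mapping_survives": effective < udp_timeout}
```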
Contrary to what some report, I have better results (Ring Central) with SIP and H323 enabled. The key for me was stream timeout 150 and making sure no SSL inspection, no Application Control (which can be confused), etc., on my VOIP zone.
Good so far. I thought I heard thunder in the distance when I turned it on.
I set up a VoIP policy for my VoIP phones to use in the application field. I have a tuned IPS signature policy, all on a firewall rule that allows SIP, SSIP, TCP SIP and a mix of TCP and UDP ports that the phones use to initiate the connections.